Merge pull request #820 from rstudio/filter-sarif-paths

Filter SARIF paths on images with >20 paths

.github/workflows/build-bake-preview.yaml

@@ -77,7 +77,7 @@ jobs:
     steps:
       - name: Check Out main Branch
         if: github.event.schedule == '0 8 * * *'
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: 'main'
 
@@ -104,7 +104,7 @@ jobs:
 
   connect-daily:
     needs: [versions]
-    name: Connect Image - Daily
+    name: Connect - Daily
     runs-on: ubuntu-latest-4x
 
     env:

docker-bake.hcl

@@ -461,12 +461,12 @@ target "workbench-for-google-cloud-workstations" {
     tags = [
         "us-central1-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}",
         "us-central1-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest",
-        "us-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}",
-        "us-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest",
         "europe-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}",
         "europe-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest",
         "asia-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}",
         "asia-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest",
+        "us-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}",
+        "us-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest",
     ]
 
     dockerfile = "Dockerfile.${builds.os}"

r-session-complete/.snyk

@@ -11,7 +11,10 @@ ignore:
         created: 2024-07-02T20:33:30.847Z
   SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737:
     - '*':
-        reason: 'Reported upstream in https://github.com/rstudio/openid/issues/18'
-        expires: 2024-07-31T00:00:00.000Z
-        created: 2024-07-02T20:52:24.627Z
+        reason: >-
+          Confirmed fixed upstream in
+          https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be
+          ingested in Workbench 2024.08.0 (expected within 1 week).
+        expires: 2024-08-07T00:00:00.000Z
+        created: 2024-07-31T17:46:24.852Z
 patch: {}

tools/snyk_bake_artifacts.py

@@ -17,6 +17,15 @@
 LOGGER = logging.getLogger(__name__)
 SNYK_ORG = os.getenv("SNYK_ORG")
 SERVICE_IMAGES = ["workbench-for-microsoft-azure=ml", "workbench-for-google-cloud-workstations"]
+SARIF_PATH_FILTERS = {
+    "connect": ["/opt/rstudio-connect/examples"],
+    "workbench-for-google-cloud-workstations": [
+        "/usr/lib/google-cloud-sdk",
+        "/usr/share",
+        "/usr/bin",
+        "/usr/local/go",
+    ],
+}
 
 PROJECT_DIR = Path(__file__).resolve().parents[1]
 
@@ -78,7 +87,8 @@ def build_snyk_command(target_name, target_spec, snyk_command, opts):
                 f"--file={str(docker_file_path)}",
                 "--platform=linux/amd64",
                 f"--project-name={target_spec['tags'][-1]}",
-                f"--sarif-file-output=container.sarif",
+                "--sarif-file-output=container.sarif",
+                "--json-file-output=container.json",
                 "--severity-threshold=high",
                 f"--policy-path={target_spec['context']}",
             ])
@@ -112,6 +122,36 @@ def build_snyk_command(target_name, target_spec, snyk_command, opts):
     return cmd
 
 
+def filter_sarif_file(target_spec):
+    with open("container.sarif", "r") as f:
+        c_sarif = json.load(f)
+    with open("container.json", "r") as f:
+        c_json = json.load(f)
+    c_sarif_paths = c_sarif["runs"]
+    c_sarif_root = c_sarif_paths.pop(0)
+    c_json_paths = c_json["applications"]
+    filter_paths = SARIF_PATH_FILTERS.get(target_spec["context"], [])
+    filtered_c_sarif_paths = [c_sarif_root]
+    if len(c_sarif_paths) != len(c_json_paths):
+        LOGGER.error("SARIF and JSON number of discovered paths do not match")
+        return
+    for i in range(len(c_sarif_paths)):
+        if c_json_paths[i]["dependencyCount"] != c_sarif_paths[i]["tool"]["driver"]["properties"]["artifactsScanned"]:
+            LOGGER.warning(
+                f"Artifact count in JSON, {c_json_paths[i]['dependencyCount']}, "
+                f"differs from artifact count in SARIF, "
+                f"{c_sarif_paths[i]['tool']['driver']['properties']['artifactsScanned']}, for "
+                f"{c_json_paths[i]['displayTargetFile']}. This may cause incorrect filtering in the SARIF file."
+            )
+        if not any(p in c_json_paths[i]["targetFile"] for p in filter_paths):
+            filtered_c_sarif_paths.append(c_sarif_paths[i])
+    c_sarif["runs"] = filtered_c_sarif_paths
+    num_filtered_paths = len(c_sarif_paths) - len(filtered_c_sarif_paths)
+    LOGGER.info(f"Filtered {num_filtered_paths} paths from SARIF file")
+    with open("container.sarif", "w") as f:
+        json.dump(c_sarif, f, indent=2)
+
+
 def run_cmd(target_name, cmd):
     LOGGER.info(f"Running tests for {target_name}")
     LOGGER.info(f"{' '.join(cmd)}")
@@ -139,6 +179,9 @@ def main():
         if return_code != 0:
             failed_targets.append(target_name)
             result = 1
+        if target_spec["context"] in SARIF_PATH_FILTERS and args.command == "test":
+            LOGGER.info("Filtering SARIF output file for excluded paths...")
+            filter_sarif_file(target_spec)
     LOGGER.info(f"Failed targets: {failed_targets}")
     exit(result)
 

workbench-for-google-cloud-workstations/.snyk

@@ -11,12 +11,15 @@ ignore:
         created: 2024-07-02T20:33:30.847Z
   SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737:
     - '*':
-        reason: 'Reported upstream in https://github.com/rstudio/openid/issues/18'
-        expires: 2024-07-31T00:00:00.000Z
-        created: 2024-07-02T20:52:24.627Z
+        reason: >-
+          Confirmed fixed upstream in
+          https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be
+          ingested in Workbench 2024.08.0 (expected within 1 week).
+        expires: 2024-08-07T00:00:00.000Z
+        created: 2024-07-31T17:46:24.852Z
   SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285:
     - '*':
-        reason: 'Patched in later version https://cloud.google.com/support/bulletins#gcp-2024-023'
-        expires: 2024-07-31T00:00:00.000Z
-        created: 2024-07-03T16:16:45.000Z
+        reason: Vulnerability in Google Cloud SDK.
+        expires: 2024-09-01T00:00:00.000Z
+        created: 2024-07-31T19:45:25.728Z
 patch: {}

workbench-for-microsoft-azure-ml/.snyk

@@ -11,7 +11,10 @@ ignore:
         created: 2024-07-02T20:33:30.847Z
   SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737:
     - '*':
-        reason: 'Reported upstream in https://github.com/rstudio/openid/issues/18'
-        expires: 2024-07-31T00:00:00.000Z
-        created: 2024-07-02T20:52:24.627Z
+        reason: >-
+          Confirmed fixed upstream in
+          https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be
+          ingested in Workbench 2024.08.0 (expected within 1 week).
+        expires: 2024-08-07T00:00:00.000Z
+        created: 2024-07-31T17:46:24.852Z
 patch: {}

workbench/.snyk

@@ -11,7 +11,10 @@ ignore:
         created: 2024-07-02T20:33:30.847Z
   SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737:
     - '*':
-        reason: 'Reported upstream in https://github.com/rstudio/openid/issues/18'
-        expires: 2024-07-31T00:00:00.000Z
-        created: 2024-07-02T20:52:24.627Z
+        reason: >-
+          Confirmed fixed upstream in
+          https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be
+          ingested in Workbench 2024.08.0 (expected within 1 week).
+        expires: 2024-08-07T00:00:00.000Z
+        created: 2024-07-31T17:46:24.852Z
 patch: {}